Haifa U Computer Dep't Finds Security Hole in Microsoft Windows

Research team: "There is room for concern at large companies, and for people who manage sensitive information. Their data privacy is at risk."

First Publish: 11/12/2007, 12:36 PM

A group of researchers headed by Dr. Benny Pinkas from the Department of Computer Science at the University of Haifa found a security vulnerability in Microsoft's "Windows 2000" Operating System.

All correspondence that was typed into a computer using Windows 2000 is susceptible to tracking, including emails, passwords, and credit card numbers. "This is not a theoretical discovery. Anyone who exploits this security loophole can definitely access this information on other computers," said Dr. Pinkas.

Various security vulnerabilities in different computer operating systems have been discovered over the years. While previous security breaches enabled hackers to follow correspondence from the time of the breach onwards, this newly-discovered loophole enables hackers to access information sent prior to the security breach and even information that is no longer stored on the computer.

The researchers, which included Hebrew University graduate students Zvi Gutterman and Leo Dorrendorf, found the loophole in the random number generator of Windows. This is a program which is, among other things, a critical building block for file and email encryption, and for the SSL encryption protocol which is used by all Internet browsers.

For example, in correspondence with a bank or any other website that requires typing in a password, or a credit card number, the random number generator creates a random encryption key, which is used to encrypt the communication so that only the target website can read the correspondence. The research team deciphered how the random number generator works enabling them to compute previous and future encryption keys, and eavesdrop on private communication.

The researchers notified the Microsoft security response team about their discovery.

"There is no doubt that hacking into a computer using our method requires advanced planning. On the other hand, simpler security breaches also require planning, and I believe that there is room for concern at large companies, and for people who manage sensitive information. They should understand that the privacy of their data is at risk," explained Dr. Pinkas.

Although they only checked "Windows 2000" (which is currently the third most popular operating system in use), the research team assumes that newer versions of "Windows", such as XP and Vista, use similar random number generators and may also be vulnerable.

Their conclusion is that Microsoft needs to improve the way it encodes information. They recommend that Microsoft publish the code of their random number generators as well as of other elements of the "Windows" security system to enable computer security experts outside Microsoft to evaluate their effectiveness.

The results of the research are described in a scientific paper entitled "Cryptanalysis of the Windows Random Number Generator", which was presented at the ACM Conference on Computer and Communications Security which took place in Alexandria, Virginia on October 29 - November 2, 2007. The paper is available for download at http://eprint.iacr.org/2007/419 .